dt.iki.fi

Installing a Commercial SSL Server Certificate (nginx)

Since CACert still isn't "Browser Trusted", and I still don't want to use letsencrypt, I decided to give this a try. The company resides inside the European Union and is the cheapest I could find.

This was the process to get the certificate for anyone who's interested:

  • Pay first. Get an online account.
  • Once they see the money they let you proceed to the activation process.
  • Create a certificate signing request thusly:
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
  • Paste the content of server.csr into the CSR window.
  • Verify - I chose the method "Place a file on your server that contains the activation code", and deleted the file again once that was done.
  • Another Email with another link. Download the certificate and intermediate certificates all the way down to the root certificate (the one your browser actually "trusts"). They will have to get concatenated in the exact order they appear on the website:
    cat actual_certificate.pem domain_validation.pem trusted_network.pem root.pem > cert.chained.pem (*)
  • Tell nginx to use your server.key and your cert.chained.pem, as explained here.

That's it really.
I also tested the result with this command:
openssl s_client -connect dt.iki.fi:443
but really one can see it best in the browser (click on the green lock).
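
An added example (not part of the original post): a pre-flight check for the cat step above, to run before nginx is pointed at the files. check_chain confirms that server.key matches the first certificate in cert.chained.pem and that every certificate is followed by its issuer; it compares issuer and subject names only and does not verify signatures. Both function names are made up for this example, and make_demo_chain builds a constructed throwaway chain to try the check on.

```shell
#!/bin/sh
# Added example. File names follow the post; the demo chain is constructed test data.

# check_chain BUNDLE KEY: returns 0 if KEY matches the first certificate and each
# certificate is followed by its issuer (compares names only, not signatures).
check_chain() {
  bundle=$1; key=$2; rc=0
  tmp=$(mktemp -d) || return 2
  # Split the bundle into c1.pem, c2.pem, ... in file order.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$bundle"
  [ -f "$tmp/c1.pem" ] || { echo "no certificate found in $bundle"; rm -rf "$tmp"; return 2; }
  # The server certificate comes first and must carry the public half of the key.
  if [ "$(openssl x509 -in "$tmp/c1.pem" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "first certificate does not match $key"; rc=1
  fi
  i=1
  while [ -f "$tmp/c$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -in "$tmp/c$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    next=$(openssl x509 -in "$tmp/c$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if [ "$issuer" != "$next" ]; then
      echo "certificate $i is issued by '$issuer' but is followed by '$next'"; rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

# make_demo_chain DIR: writes a throwaway root -> intermediate -> server chain
# (root.pem, intermediate.pem, server.pem and their .key files) for trying the check.
make_demo_chain() {
  d=$1
  newkey() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$d/$2.key" -out "$d/$2.csr" 2>/dev/null; }
  sign() { openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" -set_serial "$3" -days 1 -out "$d/$1.pem" 2>/dev/null; }
  newkey "Demo Root" root
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 -out "$d/root.pem" 2>/dev/null
  newkey "Demo Intermediate" intermediate && sign intermediate root 2
  newkey "example.test" server && sign server intermediate 3
}

# Usage: sh check_chain.sh cert.chained.pem server.key
if [ $# -eq 2 ]; then check_chain "$1" "$2"; fi
```

A non-zero exit status means the bundle or key should be fixed before nginx is reloaded.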

(*) The certificate chain is explained nicely here.